F5 Networks BIG-IP : BIG-IP ASM XSS vulnerability (K12002065)

medium Nessus Plugin ID 142038

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

A cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened. (CVE-2020-5932)

Impact

This vulnerability allows an authenticated attacker to execute a cross-site scripting (XSS) attack when another BIG-IP ASM authenticated administrative user previews the blocking page response body. The blocking page response body is located on the Blocking Page Default section of the Blocking and Response Pages tab in the security policy configuration.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K12002065.

See Also

https://my.f5.com/manage/s/article/K12002065

Plugin Details

Severity: Medium

ID: 142038

File Name: f5_bigip_SOL12002065.nasl

Version: 1.4

Type: local

Published: 10/29/2020

Updated: 11/2/2023

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-5932

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_application_security_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Settings/ParanoidReport, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 10/28/2020

Vulnerability Publication Date: 10/29/2020

Reference Information

CVE: CVE-2020-5932